So, after writing my previous post, I figured I'd talk a bit about how folks can use sessions and the cookie-based cflogin together.
Out of the box the first issue you run into is that sessions have a default timeout of twenty minutes, while cflogin has a timeout of thirty minutes. You could modify the timeout for either the session or cflogin scope.
What I typically do is a bit simpler. I check to see if a particular session variable exists, one that I set when I log a user on. If the variable does not exist, I call cflogout to ensure the cflogin scope is cleared.
Another version of this code handles both the session timing out and allowing for a forced logout.
This will clear both scopes if either the session ends or if the user choses to logout.